Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-01-2025 02:54

General

  • Target

    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe

  • Size

    71.7MB

  • MD5

    6da280fb9c2da7913e9c801b4de02f47

  • SHA1

    119298d4791194344e819d512638165a1517525b

  • SHA256

    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99

  • SHA512

    78f66c181d572bd0a12b748770578bb85b8c447c3fbc686d19b61bc226f185f512b6a3176fd04f147a5531fa281804b5fb393c3d30d0e6cd4a131d1c2ab5fe86

  • SSDEEP

    12288:FRjEparvru3GWf+6vk7A5oI+3qYc40Y+wyNdl3sT9xvgihDqOn0JroELnF0soYqn:/Eaq3GWZvkWoQk0y

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://swingybeattyz.sbs/api

Extracted

Family

lumma

C2

https://swingybeattyz.sbs/api

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    "C:\Users\Admin\AppData\Local\Temp\8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2084

Network

  • flag-us
    DNS
    swingybeattyz.sbs
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    swingybeattyz.sbs
    IN A
    Response
    swingybeattyz.sbs
    IN A
    104.21.57.130
    swingybeattyz.sbs
    IN A
    172.67.163.221
  • flag-us
    POST
    https://swingybeattyz.sbs/api
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    104.21.57.130:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: swingybeattyz.sbs
    Response
    HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 02:54:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=7dfmapje5feb4keljfs39et4hu; expires=Thu, 01 May 2025 20:41:01 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hEsWHsM4pXmWWgQfhvax7U7Xhfq6KMH5GU0x%2BElsEWMxHmOVdE4CyQSwUoAXok%2FX8yq8gmRtp7ijG88dzlEr2LsbiPEKYW0iyXKfvj0BLFyiyHLEOmnHB1e0CYUFpQ%2BN3NWGXw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd86c4b09059427-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=63875&min_rtt=59370&rtt_var=20744&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=585&delivery_rate=61161&cwnd=253&unsent_bytes=0&cid=a0e698d7cdb54836&ts=316&x=0"
  • flag-us
    DNS
    nearycrepso.shop
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    nearycrepso.shop
    IN A
    Response
  • flag-us
    DNS
    abruptyopsn.shop
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    abruptyopsn.shop
    IN A
    Response
    abruptyopsn.shop
    IN A
    104.21.80.1
    abruptyopsn.shop
    IN A
    104.21.96.1
    abruptyopsn.shop
    IN A
    104.21.16.1
    abruptyopsn.shop
    IN A
    104.21.112.1
    abruptyopsn.shop
    IN A
    104.21.32.1
    abruptyopsn.shop
    IN A
    104.21.64.1
    abruptyopsn.shop
    IN A
    104.21.48.1
  • flag-us
    POST
    https://abruptyopsn.shop/api
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    104.21.80.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: abruptyopsn.shop
    Response
    HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 02:54:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=gbm2apoi6msaloaajigu1rk5v6; expires=Thu, 01 May 2025 20:41:01 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qKSQWtjUHF0AJ1aGmVf%2FA8FsrbwgWgrW8gvU0g7IDgxymR62gePYqnoay58P7rSEJKd7n4mmDjSSi9QbC9sl1d82qmLtD3MndAEGxhqpeVCx8Rzdf7KyrnGRbL7i24yPgDuY"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd86c50bf32776b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60028&min_rtt=59107&rtt_var=18441&sent=7&recv=9&lost=0&retrans=1&sent_bytes=3128&recv_bytes=584&delivery_rate=61579&cwnd=253&unsent_bytes=0&cid=4c236a8ccabfba66&ts=664&x=0"
  • flag-us
    DNS
    wholersorie.shop
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    wholersorie.shop
    IN A
    Response
    wholersorie.shop
    IN A
    104.21.41.51
    wholersorie.shop
    IN A
    172.67.160.114
  • flag-us
    POST
    https://wholersorie.shop/api
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    104.21.41.51:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: wholersorie.shop
    Response
    HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 02:54:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=l5dl06bdra6lt7797gfh63b4f2; expires=Thu, 01 May 2025 20:41:02 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dfsRDyccfyV9Fa5639DaF6iyp3Dy6Yw8AgQAbSNMWtFDsVmpsd%2BZOVUw5%2F7uruAurE4JAJdTtuUnvMMqCILhC8v%2FkY%2Fmzv%2BWMVOdi2c%2BCLnyWXpyx0DiQ1Vfg3lwZYDCvlcO"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd86c53c878d1fa-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60871&min_rtt=59315&rtt_var=15225&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2858&recv_bytes=584&delivery_rate=62059&cwnd=253&unsent_bytes=0&cid=48ba223a72c35cb6&ts=308&x=0"
  • flag-us
    DNS
    framekgirus.shop
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    framekgirus.shop
    IN A
    Response
    framekgirus.shop
    IN A
    172.67.179.160
    framekgirus.shop
    IN A
    104.21.18.19
  • flag-us
    POST
    https://framekgirus.shop/api
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    172.67.179.160:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: framekgirus.shop
    Response
    HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 02:54:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=k9ema84ucueqebfoa576ch6rnq; expires=Thu, 01 May 2025 20:41:02 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QuvSNIAuhLnBmepssQ7KIaMNa47rKsPgQuz%2FugHl1giOnOPViYUjkFbOo75%2FrX%2FR7bL7c74Xwk9vcvFHp3t1LLmgwNXVzve4zdwU9wAtGujxh%2B3dLsu3tPoAAwGX%2BQ8qRieZ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd86c56ebae419b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=61420&min_rtt=59453&rtt_var=15491&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2857&recv_bytes=584&delivery_rate=59587&cwnd=249&unsent_bytes=0&cid=76e636a20f409127&ts=300&x=0"
  • flag-us
    DNS
    tirepublicerj.shop
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    tirepublicerj.shop
    IN A
    Response
    tirepublicerj.shop
    IN A
    104.21.80.1
    tirepublicerj.shop
    IN A
    104.21.64.1
    tirepublicerj.shop
    IN A
    104.21.96.1
    tirepublicerj.shop
    IN A
    104.21.16.1
    tirepublicerj.shop
    IN A
    104.21.32.1
    tirepublicerj.shop
    IN A
    104.21.48.1
    tirepublicerj.shop
    IN A
    104.21.112.1
  • flag-us
    POST
    https://tirepublicerj.shop/api
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    104.21.80.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: tirepublicerj.shop
    Response
    HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 02:54:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=c15rr9kr5ii1ja10d9mfmiekgh; expires=Thu, 01 May 2025 20:41:03 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gOsOTn2v04irl6%2F7BnDbGbkhKXVSkqcgp%2BCmnEd1XauH1NH%2BUqZGGQDV%2BSumSZGNDxxt2fLTPDh2IJL9MLKOnw%2FOZMvXjqQOXru0NNdMKVDL6EBMG%2Fx7CU7UB0ZHa9C0zHWkJ%2Bs%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd86c59e832f650-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60551&min_rtt=59138&rtt_var=14905&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=586&delivery_rate=62540&cwnd=253&unsent_bytes=0&cid=124858c5510e5d26&ts=307&x=0"
  • flag-us
    DNS
    noisycuttej.shop
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    noisycuttej.shop
    IN A
    Response
    noisycuttej.shop
    IN A
    104.21.71.146
    noisycuttej.shop
    IN A
    172.67.170.178
  • flag-us
    POST
    https://noisycuttej.shop/api
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    104.21.71.146:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: noisycuttej.shop
    Response
    HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 02:54:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=3k25q1tmercavlp2h65dmb29nf; expires=Thu, 01 May 2025 20:41:03 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OJ9JKKvN2vqMFNXl8ikgGOEGL%2BrzH7tXholEcF09i0P6j1r5%2BY5KQTmEuZVimKJpI1B4W0wa92xyscMUnp%2BRi2UVG5%2BlhAlfCGNzpijzppsatuVbgws%2F%2Bi0%2BHwyij3QAhbIO"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd86c5d0d27bd7f-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=61836&min_rtt=59913&rtt_var=15600&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=584&delivery_rate=60559&cwnd=253&unsent_bytes=0&cid=022d827465361ee4&ts=308&x=0"
  • flag-us
    DNS
    rabidcowse.shop
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    rabidcowse.shop
    IN A
    Response
    rabidcowse.shop
    IN A
    104.21.7.224
    rabidcowse.shop
    IN A
    172.67.156.127
  • flag-us
    POST
    https://rabidcowse.shop/api
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    104.21.7.224:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: rabidcowse.shop
    Response
    HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 02:54:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=6avkk7timia1369pin3an2one0; expires=Thu, 01 May 2025 20:41:04 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4CH84zBEyhYgk89Wdjhs53SqwGiyESDiGVac83Mq%2BzWk5VmMAUxInKExrty3G7KaK7Jjo5T3uiX2MWH8%2F95oSouDP0opsHTBitN9OoN%2FyaNdzMlvxY4fbSteSeC0QZDRDKQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd86c601f546556-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60897&min_rtt=59597&rtt_var=14737&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2853&recv_bytes=583&delivery_rate=61405&cwnd=246&unsent_bytes=0&cid=237a21c661663950&ts=294&x=0"
  • flag-us
    DNS
    cloudewahsj.shop
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    cloudewahsj.shop
    IN A
    Response
    cloudewahsj.shop
    IN A
    104.21.96.1
    cloudewahsj.shop
    IN A
    104.21.80.1
    cloudewahsj.shop
    IN A
    104.21.64.1
    cloudewahsj.shop
    IN A
    104.21.48.1
    cloudewahsj.shop
    IN A
    104.21.16.1
    cloudewahsj.shop
    IN A
    104.21.112.1
    cloudewahsj.shop
    IN A
    104.21.32.1
  • flag-us
    POST
    https://cloudewahsj.shop/api
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    104.21.96.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: cloudewahsj.shop
    Response
    HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 02:54:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=ugv597ae3umfo7h6mic2m9ejl0; expires=Thu, 01 May 2025 20:41:04 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o9LZMaTm8artw1Vf5stuP83Tr5ShkaaRtrYwVkrtqPzgrFOa65qeV2uxyuZH%2BGg%2BXO%2BW%2FZYt6kWpnqOFOlkY0vaLtwe06d9pBLfpY%2FRq6u8FdRsry3w1PN%2BmyGG%2BxL6LmqYO"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd86c632a8f6532-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=63057&min_rtt=59480&rtt_var=16198&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2852&recv_bytes=584&delivery_rate=59509&cwnd=253&unsent_bytes=0&cid=8911cb2a6185b69b&ts=315&x=0"
  • flag-us
    DNS
    steamcommunity.com
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    23.214.143.155
  • flag-gb
    GET
    https://steamcommunity.com/profiles/76561199724331900
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    23.214.143.155:443
    Request
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Mon, 06 Jan 2025 02:54:26 GMT
    Content-Length: 35588
    Connection: keep-alive
    Set-Cookie: sessionid=c7bd66fa29d6ecf2a57cd453; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
  • flag-us
    DNS
    lev-tolstoi.com
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    Remote address:
    8.8.8.8:53
    Request
    lev-tolstoi.com
    IN A
    Response
  • 104.21.57.130:443
    https://swingybeattyz.sbs/api
    tls, http
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    981 B
    4.5kB
    9
    9

    HTTP Request

    POST https://swingybeattyz.sbs/api

    HTTP Response

    200
  • 104.21.80.1:443
    https://abruptyopsn.shop/api
    tls, http
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    1.1kB
    4.8kB
    11
    10

    HTTP Request

    POST https://abruptyopsn.shop/api

    HTTP Response

    200
  • 104.21.41.51:443
    https://wholersorie.shop/api
    tls, http
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    980 B
    4.5kB
    9
    9

    HTTP Request

    POST https://wholersorie.shop/api

    HTTP Response

    200
  • 172.67.179.160:443
    https://framekgirus.shop/api
    tls, http
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    980 B
    4.4kB
    9
    9

    HTTP Request

    POST https://framekgirus.shop/api

    HTTP Response

    200
  • 104.21.80.1:443
    https://tirepublicerj.shop/api
    tls, http
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    982 B
    4.5kB
    9
    9

    HTTP Request

    POST https://tirepublicerj.shop/api

    HTTP Response

    200
  • 104.21.71.146:443
    https://noisycuttej.shop/api
    tls, http
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    980 B
    4.5kB
    9
    9

    HTTP Request

    POST https://noisycuttej.shop/api

    HTTP Response

    200
  • 104.21.7.224:443
    https://rabidcowse.shop/api
    tls, http
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    979 B
    4.4kB
    9
    9

    HTTP Request

    POST https://rabidcowse.shop/api

    HTTP Response

    200
  • 104.21.96.1:443
    https://cloudewahsj.shop/api
    tls, http
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    980 B
    4.5kB
    9
    9

    HTTP Request

    POST https://cloudewahsj.shop/api

    HTTP Response

    200
  • 23.214.143.155:443
    https://steamcommunity.com/profiles/76561199724331900
    tls, http
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    1.6kB
    43.0kB
    23
    37

    HTTP Request

    GET https://steamcommunity.com/profiles/76561199724331900

    HTTP Response

    200
  • 8.8.8.8:53
    swingybeattyz.sbs
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    63 B
    95 B
    1
    1

    DNS Request

    swingybeattyz.sbs

    DNS Response

    104.21.57.130
    172.67.163.221

  • 8.8.8.8:53
    nearycrepso.shop
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    62 B
    119 B
    1
    1

    DNS Request

    nearycrepso.shop

  • 8.8.8.8:53
    abruptyopsn.shop
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    62 B
    174 B
    1
    1

    DNS Request

    abruptyopsn.shop

    DNS Response

    104.21.80.1
    104.21.96.1
    104.21.16.1
    104.21.112.1
    104.21.32.1
    104.21.64.1
    104.21.48.1

  • 8.8.8.8:53
    wholersorie.shop
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    62 B
    94 B
    1
    1

    DNS Request

    wholersorie.shop

    DNS Response

    104.21.41.51
    172.67.160.114

  • 8.8.8.8:53
    framekgirus.shop
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    62 B
    94 B
    1
    1

    DNS Request

    framekgirus.shop

    DNS Response

    172.67.179.160
    104.21.18.19

  • 8.8.8.8:53
    tirepublicerj.shop
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    64 B
    176 B
    1
    1

    DNS Request

    tirepublicerj.shop

    DNS Response

    104.21.80.1
    104.21.64.1
    104.21.96.1
    104.21.16.1
    104.21.32.1
    104.21.48.1
    104.21.112.1

  • 8.8.8.8:53
    noisycuttej.shop
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    62 B
    94 B
    1
    1

    DNS Request

    noisycuttej.shop

    DNS Response

    104.21.71.146
    172.67.170.178

  • 8.8.8.8:53
    rabidcowse.shop
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    61 B
    93 B
    1
    1

    DNS Request

    rabidcowse.shop

    DNS Response

    104.21.7.224
    172.67.156.127

  • 8.8.8.8:53
    cloudewahsj.shop
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    62 B
    174 B
    1
    1

    DNS Request

    cloudewahsj.shop

    DNS Response

    104.21.96.1
    104.21.80.1
    104.21.64.1
    104.21.48.1
    104.21.16.1
    104.21.112.1
    104.21.32.1

  • 8.8.8.8:53
    steamcommunity.com
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    64 B
    80 B
    1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    23.214.143.155

  • 8.8.8.8:53
    lev-tolstoi.com
    dns
    8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
    61 B
    134 B
    1
    1

    DNS Request

    lev-tolstoi.com

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabD3C.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarD4F.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2084-0-0x0000000001E10000-0x0000000001E66000-memory.dmp

    Filesize

    344KB

  • memory/2084-1-0x0000000001E10000-0x0000000001E66000-memory.dmp

    Filesize

    344KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.